Bug 1035006 – VUL-0: CVE-2017-1000353: jenkins: Unauthenticated remote code execution via unserialized Java

Bug 1035006 - (CVE-2017-1000353) VUL-0: CVE-2017-1000353: jenkins: Unauthenticated remote code execution via unserialized Java

(CVE-2017-1000353)
Summary:	VUL-0: CVE-2017-1000353: jenkins: Unauthenticated remote code execution via u...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assigned To:	J. Daniel Schmidt
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-04-19 15:38 UTC by Johannes Segitz
Modified:	2017-05-05 11:41 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 2 Johannes Segitz 2017-04-21 07:35:07 UTC

SECURITY-429: CLI: Unauthenticated remote code execution An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized
using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

is CVE-2017-1000353

Comment 3 Marcus Meissner 2017-04-27 15:15:57 UTC

now public